Improve scalabiltiy of bridge network isolation rules

[aboch]

• This reduces complexity from O(N^2) to O(2N)

Related to moby/moby#26435

Reported as example the time measurement for creating 50 bridge networks and for pruning them.
Also because of the removal of the loop in isolateNetwork(), the timing is drastically improved:

   CURRENT		  NEW
Creation of the 50th network:
real	0m3.035s	0m0.146s
user	0m0.004s	0m0.008s
sys	0m0.004s	0m0.000s

Creation of all 50 networks:
real	0m43.785s	0m6.931s
user	0m0.336s	0m0.324s
sys	0m0.084s	0m0.148s

Pruning of the 50 networks:
real	1m2.136s	0m7.342s
user	0m0.004s	0m0.000s
sys	0m0.008s	0m0.016s

[mrjana]

Refactor this to something like this:

for i, chain := range chains {
     iptables.ProgramRule(..., chain, action, rules[i])
    ....
}

[aboch]

Ok, I will change it, thanks.

[mrjana]

Please rename DOCKER-ISOLATION-REV chain name and IsolationChain2 variable to something more meaningful. Right now no one will understand what they are for.

[aboch]

I thought REV for reverse as it goes had in hand with DOCKER-ISOLATION chain.
One filter by source, the other one by destination.
I chose a short suffix because the chain name is already long.

Would expand it to DOCKER-ISOLATION-REVERSE make it better ?

Or should I change also the existing one and have two different suffixes, like FORWARD and REVERSE or SRC and DST ?

In the meantime I will replace the variable names to something more descriptive. Or I will add a comment.

[mrjana]

Shouldn't you have to rollback the rule #1 if there is a failure in plumbing rule#2?

[aboch]

Yes we should. Thanks.

[aboch]

Thanks @mrjana for the comments. I think I addressed them. PTAL.
I verified the old chain and jump rule are removed at boot.

[mrjana]

LGTM

[GordonTheTurtle]

@aboch It has been detected that this issue has not received any activity in over 6 months. Can you please let us know if it is still relevant:

• For a bug: do you still experience the issue with the latest version?
• For a feature request: was your request appropriately answered in a later version?

Thank you!
This issue will be automatically closed in 1 week unless it is commented on.
For more information please refer to #1926

[aboch]

@aboch It has been detected that this issue has not received any activity in over 6 months. Can you please let us know if it is still relevant:

For a bug: do you still experience the issue with the latest version?

Yes

For a feature request: was your request appropriately answered in a later version?

No

[AkihiroSuda]

What's current status of this?

@aboch @mrjana

[AkihiroSuda]

@fcrisciani @ctelfer @thaJeztah

Any chance to get this merged? 🙏

[fcrisciani]

@AkihiroSuda there is conflicts so we will need someone to take this patch over, will try to see if there is someone able to follow up on this

[thaJeztah]

@AkihiroSuda are you interested in carrying this?

[AkihiroSuda]

carried as #2117

[fcrisciani]

closing because carried in another PR